[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#6789: MD5 is broken
From: |
Pádraig Brady |
Subject: |
bug#6789: MD5 is broken |
Date: |
Tue, 10 Aug 2010 02:06:18 +0100 |
User-agent: |
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3 |
On 09/08/10 07:28, Paul Eggert wrote:
> On 08/08/10 06:26, Bruno Haible wrote:
>> Here is a proposed patch to make this clearer.
>
> I like this patch, except I have qualms about
> putting a Wikipedia URL in the documentation, as
> Wikipedia is not that stable. Perhaps
> <http://www.kb.cert.org/vuls/id/836068> would
> be a better URL. Also, the --help output shouldn't
> point to Wikipedia (or to CERT, for that matter);
> it should at most refer to the coreutils manual.
>
> Jim and/or Pádraig may have better advice here.
We don't need to hand hold people interested
in the details of MD5 weaknesses. They'll be well
able to find the pertinent info. Therefore in the
amended patch below I've just removed the URL.
I also removed the addition to --help
(and consequently the man page), as I think it's overkill.
If we were to add something to --help it should
probably be also done for sha1sum, but the amended
texinfo is enough I think.
cheers,
Pádraig.
commit 4caf1adec8e6ce0cb7ab75365ab312411b2d47bd
Author: Bruno Haible <address@hidden>
Date: Tue Aug 10 01:56:36 2010 +0100
doc: improve the info on md5sum security weaknesses
* doc/coreutils.texi (md5sum invocation): Mention currently known
security problems. Don't recommend SHA-1 as alternative.
Reported by Simon Josefsson
diff --git a/doc/coreutils.texi b/doc/coreutils.texi
index 942978f..e0e308b 100644
--- a/doc/coreutils.texi
+++ b/doc/coreutils.texi
@@ -3414,14 +3414,12 @@ options}.
Note: The MD5 digest is more reliable than a simple CRC (provided by
the @command{cksum} command) for detecting accidental file corruption,
as the chances of accidentally having two files with identical MD5
-are vanishingly small. However, it should not be considered truly
-secure against malicious tampering: although finding a file with a
-given MD5 fingerprint, or modifying a file so as to retain its MD5 are
-considered infeasible at the moment, it is known how to produce
-different files with identical MD5 (a ``collision''), something which
-can be a security issue in certain contexts. For more secure hashes,
-consider using SHA-1 or SHA-2. @xref{sha1sum invocation}, and
address@hidden utilities}.
+are vanishingly small. However, it should not be considered secure
+against malicious tampering: although finding a file with a given MD5
+fingerprint is considered infeasible at the moment, it is known how
+to modify certain files, including digital certificates, so that they
+appear valid when signed with an MD5 digest.
+For more secure hashes, consider using SHA-2. @xref{sha2 utilities}.
If a @var{file} is specified as @samp{-} or if no files are given
@command{md5sum} computes the checksum for the standard input.
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), (continued)
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Bruno Haible, 2010/08/03
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Paul Eggert, 2010/08/04
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Simon Josefsson, 2010/08/04
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Paolo Bonzini, 2010/08/04
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Paul Eggert, 2010/08/05
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Paolo Bonzini, 2010/08/06
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Paul Eggert, 2010/08/06
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Simon Josefsson, 2010/08/08
- bug#6789: MD5 is broken, Bruno Haible, 2010/08/08
- bug#6789: MD5 is broken, Paul Eggert, 2010/08/09
- bug#6789: MD5 is broken,
Pádraig Brady <=
- bug#6789: MD5 is broken, Bruno Haible, 2010/08/14
- bug#6789: MD5 is broken, Pádraig Brady, 2010/08/14
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Bruno Haible, 2010/08/08
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Paul Eggert, 2010/08/09
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Bruno Haible, 2010/08/10
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Paul Eggert, 2010/08/11
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Bruno Haible, 2010/08/09
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Paul Eggert, 2010/08/09
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Bruno Haible, 2010/08/09
- bug#6789: propose renaming gnulib memxfrm to amemxfrm (naming collision with coreutils), Paul Eggert, 2010/08/10